你要的是这个么 ??
Time stamp: 3/15/2019 15:06:39
record number: 134747
status code: 4624
event type: Audit Success
Format message failed with 1813
ADMIN$
WORKGROUP
0x3e7
S-1-5-18
SYSTEM
NT AUTHORITY
0x3e7
5
Advapi
Negotiate
-
{00000000-0000-0000-0000-000000000000}
-
-
0
0x298
D:\Windows\System32\services.exe
-
-
%1833
普通登录 好像 就只能读出来这些东西
HANDLE GetMessageResources();
DWORD DumpRecordsInBuffer( PBYTE pBuffer, DWORD dwBytesRead );
DWORD GetEventTypeName( DWORD EventType );
LPWSTR GetMessageString( DWORD Id, DWORD argc, LPWSTR args );
void GetTimestamp( const DWORD Time, WCHAR DisplayString[] );
DWORD ApplyParameterStringsToMessage( CONST LPCWSTR pMessage, LPWSTR & pFinalMessage );
CONST LPWSTR pEventTypeNames[] = { L"Error", L"Warning", L"Informational", L"Audit Success", L"Audit Failure" };
HANDLE g_hResources = NULL;
void wmain( void )
{
HANDLE hEventLog = NULL;
DWORD status = ERROR_SUCCESS;
DWORD dwBytesToRead = 0;
DWORD dwBytesRead = 0;
DWORD dwMinimumBytesToRead = 0;
PBYTE pBuffer = NULL;
PBYTE pTemp = NULL;
hEventLog = OpenEventLog( NULL, L"Security" );
if ( NULL == hEventLog )
{
wprintf( L"OpenEventLog failed with 0x%x.\n", GetLastError() );
goto cleanup;
}
dwBytesToRead = MAX_RECORD_BUFFER_SIZE;
pBuffer = ( PBYTE )malloc( dwBytesToRead );
if ( NULL == pBuffer )
{
wprintf( L"Failed to allocate the initial memory for the record buffer.\n" );
goto cleanup;
}
while ( ERROR_SUCCESS == status )
{
if ( !ReadEventLog( hEventLog,
EVENTLOG_SEQUENTIAL_READ | EVENTLOG_BACKWARDS_READ,
0,
pBuffer,
dwBytesToRead,
&dwBytesRead,
&dwMinimumBytesToRead ) )
{
status = GetLastError();
if ( ERROR_INSUFFICIENT_BUFFER == status )
{
status = ERROR_SUCCESS;
pTemp = ( PBYTE )realloc( pBuffer, dwMinimumBytesToRead );
if ( NULL == pTemp )
{
wprintf( L"Failed to reallocate the memory for the record buffer (%d bytes).\n", dwMinimumBytesToRead );
goto cleanup;
}
pBuffer = pTemp;
dwBytesToRead = dwMinimumBytesToRead;
}
else
{
if ( ERROR_HANDLE_EOF != status )
{
wprintf( L"ReadEventLog failed with %lu.\n", status );
goto cleanup;
}
}
}
else
{
DumpRecordsInBuffer( pBuffer, dwBytesRead );
}
}
cleanup:
if ( hEventLog )
CloseEventLog( hEventLog );
if ( pBuffer )
free( pBuffer );
}
HANDLE GetMessageResources()
{
HANDLE hResources = NULL;
hResources = LoadLibraryEx( RESOURCE_DLL, NULL, LOAD_LIBRARY_AS_IMAGE_RESOURCE | LOAD_LIBRARY_AS_DATAFILE );
if ( NULL == hResources )
{
wprintf( L"LoadLibrary failed with %lu.\n", GetLastError() );
}
return hResources;
}
DWORD DumpRecordsInBuffer( PBYTE pBuffer, DWORD dwBytesRead )
{
DWORD status = ERROR_SUCCESS;
PBYTE pRecord = pBuffer;
PBYTE pEndOfRecords = pBuffer + dwBytesRead;
LPWSTR pMessage = NULL;
LPWSTR pFinalMessage = NULL;
WCHAR TimeStamp[ MAX_TIMESTAMP_LEN ];
while ( pRecord < pEndOfRecords )
{
{
GetTimestamp( ( ( PEVENTLOGRECORD )pRecord )->TimeGenerated, TimeStamp );
wprintf( L"Time stamp: %s\n", TimeStamp );
wprintf( L"record number: %lu\n", ( ( PEVENTLOGRECORD )pRecord )->RecordNumber );
wprintf( L"status code: %d\n", ( ( PEVENTLOGRECORD )pRecord )->EventID & 0xFFFF );
wprintf( L"event type: %s\n", pEventTypeNames[ GetEventTypeName( ( ( PEVENTLOGRECORD )pRecord )->EventType ) ] );
pMessage = GetMessageString( ( ( PEVENTLOGRECORD )pRecord )->EventCategory, 0, NULL );
if ( pMessage )
{
wprintf( L"event category: %s", pMessage );
LocalFree( pMessage );
pMessage = NULL;
}
PEVENTLOGRECORD tem = ( PEVENTLOGRECORD )pRecord;
pMessage = GetMessageString( tem->EventID,
( ( PEVENTLOGRECORD )pRecord )->NumStrings, ( LPWSTR )( pRecord + ( ( PEVENTLOGRECORD )pRecord )->StringOffset ) );
if ( pMessage )
{
status = ApplyParameterStringsToMessage( pMessage, pFinalMessage );
wprintf( L"event message: %s", ( pFinalMessage ) ? pFinalMessage : pMessage );
LocalFree( pMessage );
pMessage = NULL;
if ( pFinalMessage )
{
free( pFinalMessage );
pFinalMessage = NULL;
}
}
if ( ( ( PEVENTLOGRECORD )pRecord )->DataLength > 0 )
{
wprintf( L"event data: %s\n", ( LPWSTR )( pRecord + ( ( PEVENTLOGRECORD )pRecord )->DataOffset ) );
}
wprintf( L"\n" );
}
pRecord += ( ( PEVENTLOGRECORD )pRecord )->Length;
}
return status;
}
DWORD GetEventTypeName( DWORD EventType )
{
DWORD index = 0;
switch ( EventType )
{
case EVENTLOG_ERROR_TYPE:
index = 0;
break;
case EVENTLOG_WARNING_TYPE:
index = 1;
break;
case EVENTLOG_INFORMATION_TYPE:
index = 2;
break;
case EVENTLOG_AUDIT_SUCCESS:
index = 3;
break;
case EVENTLOG_AUDIT_FAILURE:
index = 4;
break;
}
return index;
}
LPWSTR GetMessageString( DWORD MessageId, DWORD argc, LPWSTR argv )
{
LPWSTR pMessage = NULL;
DWORD dwFormatFlags = FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_FROM_HMODULE | FORMAT_MESSAGE_ALLOCATE_BUFFER;
DWORD_PTR* pArgs = NULL;
LPWSTR pString = argv;
if ( argc > 0 )
{
pArgs = ( DWORD_PTR* )malloc( sizeof( DWORD_PTR ) * argc );
if ( pArgs )
{
dwFormatFlags |= FORMAT_MESSAGE_ARGUMENT_ARRAY;
for ( DWORD i = 0; i < argc; i++ )
{
pArgs[ i ] = ( DWORD_PTR )pString;
pString += wcslen( pString ) + 1;
wprintf( pString );
wprintf( L"\n" );
}
}
else
{
dwFormatFlags |= FORMAT_MESSAGE_IGNORE_INSERTS;
wprintf( L"Failed to allocate memory for the insert string array.\n" );
}
}
if ( !FormatMessage( dwFormatFlags,
g_hResources,
MessageId,
0,
( LPWSTR )&pMessage,
0,
( va_list* )pArgs ) )
{
wprintf( L"Format message failed with %lu\n", GetLastError() );
}
if ( pArgs )
free( pArgs );
return pMessage;
}
DWORD ApplyParameterStringsToMessage( CONST LPCWSTR pMessage, LPWSTR & pFinalMessage )
{
DWORD status = ERROR_SUCCESS;
DWORD dwParameterCount = 0;
size_t cbBuffer = 0;
size_t cchBuffer = 0;
size_t cchParameters = 0;
size_t cch = 0;
DWORD i = 0;
LPWSTR* pStartingAddresses = NULL;
LPWSTR* pEndingAddresses = NULL;
DWORD* pParameterIDs = NULL;
LPWSTR* pParameters = NULL;
LPWSTR pTempMessage = ( LPWSTR )pMessage;
LPWSTR pTempFinalMessage = NULL;
while ( pTempMessage = wcschr( pTempMessage, L'%' ) )
{
dwParameterCount++;
pTempMessage++;
}
if ( 0 == dwParameterCount )
{
pFinalMessage = NULL;
goto cleanup;
}
cbBuffer = sizeof( LPWSTR ) * dwParameterCount;
pStartingAddresses = ( LPWSTR* )malloc( cbBuffer );
if ( NULL == pStartingAddresses )
{
wprintf( L"Failed to allocate memory for pStartingAddresses.\n" );
status = ERROR_OUTOFMEMORY;
goto cleanup;
}
RtlZeroMemory( pStartingAddresses, cbBuffer );
pEndingAddresses = ( LPWSTR* )malloc( cbBuffer );
if ( NULL == pEndingAddresses )
{
wprintf( L"Failed to allocate memory for pEndingAddresses.\n" );
status = ERROR_OUTOFMEMORY;
goto cleanup;
}
RtlZeroMemory( pEndingAddresses, cbBuffer );
pParameters = ( LPWSTR* )malloc( cbBuffer );
if ( NULL == pParameters )
{
wprintf( L"Failed to allocate memory for pEndingAddresses.\n" );
status = ERROR_OUTOFMEMORY;
goto cleanup;
}
RtlZeroMemory( pParameters, cbBuffer );
pParameterIDs = ( DWORD* )malloc( cbBuffer );
if ( NULL == pParameterIDs )
{
wprintf( L"Failed to allocate memory for pParameterIDs.\n" );
status = ERROR_OUTOFMEMORY;
goto cleanup;
}
RtlZeroMemory( pParameterIDs, cbBuffer );
pTempMessage = ( LPWSTR )pMessage;
while ( pTempMessage = wcschr( pTempMessage, L'%' ) )
{
if ( isdigit( *( pTempMessage + 1 ) ) )
{
pStartingAddresses[ i ] = pTempMessage;
pTempMessage++;
pParameterIDs[ i ] = ( DWORD )_wtoi( pTempMessage );
while ( isdigit( *++pTempMessage ) )
;
pEndingAddresses[ i ] = pTempMessage;
i++;
}
}
for ( DWORD i = 0; i < dwParameterCount; i++ )
{
pParameters[ i ] = GetMessageString( pParameterIDs[ i ], 0, NULL );
if ( NULL == pParameters[ i ] )
{
wprintf( L"GetMessageString could not find parameter string for insert %lu.\n", i );
status = ERROR_INVALID_PARAMETER;
goto cleanup;
}
cchParameters += wcslen( pParameters[ i ] );
}
pTempMessage = ( LPWSTR )pMessage;
cbBuffer = ( wcslen( pMessage ) + cchParameters + 1 ) * sizeof( WCHAR );
pFinalMessage = ( LPWSTR )malloc( cbBuffer );
if ( NULL == pFinalMessage )
{
wprintf( L"Failed to allocate memory for pFinalMessage.\n" );
status = ERROR_OUTOFMEMORY;
goto cleanup;
}
RtlZeroMemory( pFinalMessage, cbBuffer );
cchBuffer = cbBuffer / sizeof( WCHAR );
pTempFinalMessage = pFinalMessage;
for ( DWORD i = 0; i < dwParameterCount; i++ )
{
wcsncpy_s( pTempFinalMessage, cchBuffer, pTempMessage, cch = ( pStartingAddresses[ i ] - pTempMessage ) );
pTempMessage = pEndingAddresses[ i ];
cchBuffer -= cch;
pTempFinalMessage += cch;
wcscpy_s( pTempFinalMessage, cchBuffer, pParameters[ i ] );
cchBuffer -= cch = wcslen( pParameters[ i ] );
pTempFinalMessage += cch;
}
wcscpy_s( pTempFinalMessage, cchBuffer, pTempMessage );
cleanup:
if ( ERROR_SUCCESS != status )
pFinalMessage = ( LPWSTR )pMessage;
if ( pStartingAddresses )
free( pStartingAddresses );
if ( pEndingAddresses )
free( pEndingAddresses );
if ( pParameterIDs )
free( pParameterIDs );
for ( DWORD i = 0; i < dwParameterCount; i++ )
{
if ( pParameters[ i ] )
LocalFree( pParameters[ i ] );
}
return status;
}
void GetTimestamp( const DWORD Time, WCHAR DisplayString[] )
{
ULONGLONG ullTimeStamp = 0;
ULONGLONG SecsTo1970 = 116444736000000000;
SYSTEMTIME st;
FILETIME ft, ftLocal;
ullTimeStamp = Int32x32To64( Time, 10000000 ) + SecsTo1970;
ft.dwHighDateTime = ( DWORD )( ( ullTimeStamp >> 32 ) & 0xFFFFFFFF );
ft.dwLowDateTime = ( DWORD )( ullTimeStamp & 0xFFFFFFFF );
FileTimeToLocalFileTime( &ft, &ftLocal );
FileTimeToSystemTime( &ftLocal, &st );
StringCchPrintf( DisplayString, MAX_TIMESTAMP_LEN, L"%d/%d/%d %.2d:%.2d:%.2d",
st.wMonth, st.wDay, st.wYear, st.wHour, st.wMinute, st.wSecond );
}
刚才跑了下 实在是没得你那种时间类型 这个是windows 的源码 我稍微改了下
地址 :https://docs.microsoft.com/zh-cn/windows/desktop/EventLog/querying-for-event-source-messages